feat: In gix read http.sslVerify config value and pass it to gix-tran…

…sport.
GitoxideLabs · Byron · Dec 1, 2023 · Nov 29, 2023 · Dec 1, 2023 · Nov 29, 2023
commit c6e83cf69f1a17e9ba3010bcce3a4ddd3305424c
diff --git a/gix/src/config/tree/sections/http.rs b/gix/src/config/tree/sections/http.rs
@@ -10,6 +10,9 @@ impl Http {
         .with_deviation(
             "accepts the new 'default' value which means to use the curl default just like the empty string does",
         );
+    /// The `http.sslVerify` key.
+    pub const SSL_VERIFY: keys::Boolean = keys::Boolean::new_boolean("sslVerify", &config::Tree::HTTP)
+        .with_deviation("Only supported when using curl as https backend");
     /// The `http.proxy` key.
     pub const PROXY: keys::String =
         keys::String::new_string("proxy", &config::Tree::HTTP).with_deviation("fails on strings with illformed UTF-8");

diff --git a/gix/src/repository/config/transport.rs b/gix/src/repository/config/transport.rs
@@ -405,6 +405,17 @@ impl crate::Repository {
                         }
                     }
 
+                    {
+                        let key = "http.sslVerify";
+                        opts.ssl_verify = config
+                            .boolean_filter_by_key(key, &mut trusted_only)
+                            .map(|value| config::tree::Http::SSL_VERIFY.enrich_error(value))
+                            .transpose()
+                            .with_leniency(lenient)
+                            .map_err(config::transport::http::Error::from)?
+                            .unwrap_or(true);
+                    }
+
                     #[cfg(feature = "blocking-http-transport-curl")]
                     {
                         let key = "http.schannelCheckRevoke";

diff --git a/gix/tests/fixtures/make_config_repos.sh b/gix/tests/fixtures/make_config_repos.sh
@@ -164,3 +164,8 @@ mkdir not-a-repo-with-files;
 (cd not-a-repo-with-files
   touch this that
 )
+
+git init no-ssl-verify
+(cd no-ssl-verify
+  git config http.sslVerify false
+)
diff --git a/gix/tests/repository/config/transport_options.rs b/gix/tests/repository/config/transport_options.rs
@@ -55,6 +55,7 @@ mod http {
             verbose,
             ssl_ca_info,
             ssl_version,
+            ssl_verify,
             http_version,
             backend,
         } = http_options(&repo, None, "https://example.com/does/not/matter");
@@ -106,6 +107,9 @@ mod http {
                 max: version
             })
         );
+
+        assert!(ssl_verify, "SSL verification is enabled by default if not configured");
+
         assert_eq!(http_version, Some(HttpVersion::V1_1));
     }
 
@@ -314,4 +318,13 @@ mod http {
         assert_eq!(opts.proxy.as_deref(), Some("http://localhost:9090"));
         assert_eq!(opts.follow_redirects, FollowRedirects::Initial);
     }
+
+    #[test]
+    fn no_ssl_verify() {
+        let repo = repo("no-ssl-verify");
+
+        let opts = http_options(&repo, None, "https://example.com/does/not/matter");
+
+        assert!(!opts.ssl_verify);
+    }
 }
diff --git a/src/plumbing/progress.rs b/src/plumbing/progress.rs
@@ -408,10 +408,6 @@ static GIT_CONFIG: &[Record] = &[
         config: "http.sslCipherList",
         usage: NotPlanned { reason: "on demand" }
     },
-    Record {
-        config: "http.sslVerify",
-        usage: NotPlanned { reason: "on demand" }
-    },
     Record {
         config: "http.sslCert",
         usage: NotPlanned { reason: "on demand" }